Create incident tasks in Microsoft Sentinel using automation rules

This article explains how to use automation rules to create lists of incident tasks, in order to standardize analyst workflow processes in Microsoft Sentinel.

Incident tasks can be created automatically not only by automation rules, but also by playbooks, and also manually, ad-hoc, from within an incident.

Use cases for different roles

This article addresses the following scenarios that apply to SOC managers, senior analysts, and automation engineers:

Another such scenario is addressed in the following companion article:

Another article, at the following links, addresses scenarios that apply more to SOC analysts:

Important

Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Prerequisites

The Microsoft Sentinel Responder role is required to create automation rules and to view and edit incidents, both of which are necessary to add, view, and edit tasks.

View automation rules with incident task actions

In the Automation page, you can filter the view of automation rules to see only the ones that have Add task actions defined.

Screenshot showing how to filter automation rules grid.

  1. Select the Actions filter.

  2. Unmark the Select all checkbox.

  3. Scroll down and mark the Add task checkbox.

  4. Select OK and see the results.

    Screenshot showing the results of the filter on the automation rules grid.

    These are the automation rules that add tasks to incidents. The Analytics rule names column tells you which analytics rules these automation rules are conditioned on, so you'll have a general idea of which incidents are affected.

    Note

    To have exact knowledge of whether an automation rule will apply to a particular incident, you must open the rule to see if any additional conditions are defined, besides the analytics rule condition. If other conditions are defined, the scope of the affected incidents will be accordingly narrowed.

Add tasks to incidents with automation rules

  1. In the Automation page, select + Create and select Automation rule.

  2. The Create new automation rule panel will open on the right side.
    Give your automation rule a name that describes what it does.

  3. Select When incident is created as the trigger (you can also use When incident is updated).

  4. Add Conditions to determine to which incidents new tasks will be added.

    For example, filter by Analytics rule name:

    • You might want to add tasks to incidents based on the types of threats detected by an analytics rule or a group of analytics rules that need to be handled according to a certain workflow. Search for and select the relevant analytics rules from the drop-down list.

    • Or, you might want to add tasks that are relevant for incidents across all types of threats (in this case, leave the default selection of All as is).

    In either case, you can add more conditions to narrow the scope of incidents to which your automation rule will apply. Learn more about adding advanced conditions to automation rules.

    One thing you'll need to consider is that the order in which tasks appear in your incident is determined by the tasks' creation time. You can set the order of automation rules so that rules that add tasks required for all incidents will run first, and only afterwards any rules that add tasks required for incidents generated by specific analytics rules.

    Screenshot of first part of automation rule wizard.

  5. Under Actions, select Add task.

    Screenshot of choosing the Add Task action in an automation rule.

  6. For each task, enter a title in the Task title field, and then (optionally) select + Add description to open a description field.
    Only task titles appear by default in the incident's task list panel. A task's description appears only when the task item is expanded.

    Screenshot showing how to add a title and a description to a task.

  7. In the description field you can add a free-form description for the task, including images, links and rich-text formatting (see the hyperlinks, numbered lists, and code-block-formatted text in the examples below).

    Screenshot showing how to add a description to a task.

  8. Add more tasks to the same group of incidents by selecting + Add action and repeating the last three steps.

    Tasks will be created and added to the incident according to the order of the Add task actions in your automation rule.

    Screenshot showing how to add more tasks to an automation rule.

  9. Finish creating the automation rule by completing the remaining steps, Rule expiration and Order, and selecting Apply at the end. See Create and use Microsoft Sentinel automation rules to manage response for full details.

    Regarding the Order setting: The order in which tasks appear in your incidents depends on two things:

    1. The order of execution of the automation rules, as determined by the number in the Order setting, and...
    2. The order of the Add task actions defined within each automation rule.

Next steps